
tempted to cut corners on data encryption, but according to one expert, that's a dangerous mistake.

SearchSecurity.com:


At the Computer Forensics Show this week, speaker James F. Dawson, former corporate forensic investigations expert with New York-based MetLife Inc., discussed the pain points of managing electronically stored information (ESI) in support of the insurance conglomerate's litigators.

While it's difficult to manage dozens of concurrent e-discovery matters for an enterprise with approximately 22 petabytes (or more than 22,500 terabytes) of data worldwide, Dawson said that's no excuse not to employ encryption, both at the file level and in the transport layer.

He said desktop encryption programs have evolved to the point where they are cheap to purchase and easy for the typical end user to work with after only minimal training.

In fact, Dawson's former organization practices what he preaches. "Any data that moves around, even within MetLife, gets encryption," he said, noting that transporting data from one business unit to another often means sending data across national or international borders.

But even if the encryption process is less burdensome for end users, that doesn't mean managing encrypted data is easy for a large organization. At MetLife, Dawson said, when an e-discovery process begins and potentially relevant data is found, the data is encrypted, transported to data analysts, decrypted and analyzed. Pertinent data is then re-encrypted, moved to portable media, shipped and finally decrypted again.

"In New York," Dawson said, "you don't want to appear in the Post because someone found the unencrypted disk and was able to check out your data."

Dawson noted that shipping data via courier is particularly troublesome, as up to 5% of shipments typically never reach their destination. While that makes encryption important, he said the process is for naught if encryption passphrases are written on a piece of paper and sent along with the package.

As a best practice for transporting encrypted data, Dawson advised providing passphrases by voice via phone or in a voicemail. Or, if a passphrase must be mailed, send it separately, prior to sending the data itself, and have it delivered to a different recipient or address.

For those IT organizations or teams that regularly work with encrypted data as part of a legal or e-discovery process, Dawson recommended setting up a buddy system between technologists and attorneys. That way, he said, IT can learn more about what the litigation team needs, while lawyers get a better sense of what IT can and can't do.

Dawson said that kind of communication also helps attorneys avoid making encryption-related mistakes.

"Attorneys still send email with native email application encryption schemes," he said. "Your kid could practically break that with the decoder ring in a cereal box."
